Incident Report: May 9 – 29, 2018

The following is the incident report for a traffic metadata leak that occurred between May 9 and May 29, 2018. While we consider the impact of the leak to be very limited, we take the privacy and security of all types of data very seriously, and we extend our sincerest apologies to everyone affected.

Issue

From May 9, 2018 to May 29, 2018, traffic information consisting of IP addresses, user agent (browser version), and URL referrer for visitors to a subset of FormAssembly forms was inadvertently leaked to a single third-party individual.

The individual discovered the issue and reached out to us on May 29, and has cooperated with us to identify the source of the issue, destroy the traffic metadata in his possession, and sign a confidentiality agreement.

Through the referrer information available in the traffic data, the individual also had access to a number of pre-filling URLs, which would have given him access to some respondent data.

We’re confident that we’ve fully identified and resolved the issue and that all customer data remains safe.

The root cause of this issue is explained in the Root Cause section below. Impacted customers have been notified by email and the incident is closed.

The delay between the incident and this notification is due to factors outside of our control, as explained below.

Root Cause Analysis

For some time prior to 2017, the FormAssembly development team had used a “dummy” domain for internal use only. The domain was not available for purchase at the time and therefore could not be used outside of our private network.

While developing a new CSS stylesheet for FormAssembly forms, we inadvertently included an image hosted on this internal-only domain. Once deployed to customers, this simply resulted in an unresolvable URL and a broken image. We eventually fixed the URL, but since there was no noticeable impact, we didn’t actively confirm that the image was fixed for all customers. This resulted in a minority of customers still using stylesheets with a broken image.

At some point in 2017, the development team discontinued the use of the dummy domain, and switched to the more standard practice of using .test and .localhost domains for internal use. The stylesheets with the broken image were however still left unattended.

On May 1, 2018 Google released .app as a Top Level Domain, making it possible for anyone to register the domain we had been using for internal use only.

On May 5, an individual independently registered the domain and, on the 9th, set up their website.

At this point, any visit to forms that still referred to the broken image resulted in a web request to the individual’s server, to attempt to retrieve the image.

As part of the web request, visitors’ IP addresses, browser version information (user agent string), and referrer URLs were recorded in the individual’s server logs. Since we did not intend this to happen, we consider this a data leak.

Additionally, some features in FormAssembly rely on pre-filling links that are expected to remain private. When unintentionally shared, each link can give access to a single respondent’s data under certain conditions. Since some of those links were recorded in the individual’s server log as the referrer URL, we consider this an aggravating circumstance.

Since this traffic data was only ever accessible to this single individual, who acted responsibly and cooperated with us to resolve the issue and destroy the server log in his possession, we consider the final impact to data privacy to be, fortunately, very limited.

Resolution and Recovery

FormAssembly fixed the broken URL and terminated the traffic metadata leak within hours of being notified.

Over the following days, the incident response team worked with the individual to establish the scope of affected customers and secure the confidentiality and deletion of the traffic data.

On June 16, the individual confirmed with a sworn affidavit that the traffic data in his possession was deleted. The delay between the original report and the termination of the incident was caused by a technical limitation on the individual’s server preventing him from deleting the server logs manually.

Over the following week we analyzed the logs received to identify the list of affected customers.

Corrective and Preventative Measures

We have conducted an internal review and analysis of the issue. The following are actions we are taking to address the underlying causes of the issue and to help prevent any recurrence.

We’re updating our secure coding policy and training to formally restrict internal domains to the .test and .localhost TLDs only (a practice we had in fact already adopted).

We’ve reviewed our code base for any leftover non-local domains. No further instance of this issue was found.
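As an added illustration of the kind of code-base review described above (example code, not FormAssembly’s own tooling): a small scanner that pulls every url() and @import reference out of a stylesheet and flags any host that is neither on a production allowlist nor under the reserved .test/.localhost TLDs, since each such reference makes every visitor’s browser send its IP, user agent and referrer to that host. The allowlist, the dummy .app host and the sample stylesheet are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Added example, not FormAssembly tooling. Hosts below are constructed.
PRODUCTION_HOSTS = {"www.example.com", "cdn.example.com"}
# Reserved TLDs that can never be registered publicly: the only suffixes
# acceptable for internal-only references under the stated policy.
SAFE_INTERNAL_SUFFIXES = (".test", ".localhost")

# url(...) with optional quotes, or @import "..." / @import '...'.
_REF_RE = re.compile(
    r"""url\(\s*(['"]?)(?P<u>[^'")]+)\1\s*\)|@import\s+(['"])(?P<i>[^'"]+)\3""",
    re.IGNORECASE,
)

def extract_refs(css):
    """Every external reference in a stylesheet, in source order."""
    return [m.group("u") or m.group("i") for m in _REF_RE.finditer(css)]

def host_of(ref):
    """Host a reference resolves to; None for relative paths and data: URIs."""
    ref = ref.strip()
    if ref.startswith("data:"):
        return None
    if ref.startswith("//"):          # protocol-relative still hits a remote host
        ref = "https:" + ref
    return urlsplit(ref).hostname

def classify_host(host):
    """'ok' for production or reserved-TLD hosts, 'leak' for anything else."""
    if host is None or host in PRODUCTION_HOSTS:
        return "ok"
    return "ok" if host.endswith(SAFE_INTERNAL_SUFFIXES) else "leak"

def scan_css(css):
    """(reference, host) pairs that would make a visitor's browser contact
    a host outside the allowlist, carrying its IP, user agent and referrer."""
    refs = [(ref, host_of(ref)) for ref in extract_refs(css)]
    return [(ref, host) for ref, host in refs if classify_host(host) == "leak"]

# Constructed stylesheet: one leftover dummy .app host and one third-party import.
SAMPLE_CSS = """
body  { background: url("https://cdn.example.com/bg.png"); }
.logo { background-image: url('//dummy-internal.app/logo.png'); }
.icon { background: url(data:image/png;base64,iVBORw0KGgo=); }
.dev  { background: url(http://forms.test/dev.png); }
@import "https://fonts.third-party.example/font.css";
.rel  { background: url(../img/arrow.png); }
"""
```

Running scan_css(SAMPLE_CSS) reports only the dummy .app host and the third-party font import; relative paths, data: URIs and .test hosts are left alone.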

Where possible, we’re further restricting the ability to share non-authenticated links to pre-filled forms.

FormAssembly is committed to continually and quickly improving our technology and operational processes to prevent such incidents. We appreciate your understanding and again apologize for the impact to you, your users, and your organization. We thank you for your business and continued support.
— The FormAssembly Incident Response Team